Overview

overview

10

Static

static

5

0b7ee90ebf...5N.exe

windows7-x64

3

0b7ee90ebf...5N.exe

windows10-2004-x64

3

$PLUGINSDI...nt.dll

windows7-x64

3

$PLUGINSDI...nt.dll

windows10-2004-x64

3

$PLUGINSDI...nd.dll

windows7-x64

10

$PLUGINSDI...nd.dll

windows10-2004-x64

10

$PLUGINSDI...dl.dll

windows7-x64

3

$PLUGINSDI...dl.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

10

$PLUGINSDI...em.dll

windows10-2004-x64

10

$PLUGINSDI...te.dll

windows7-x64

3

$PLUGINSDI...te.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...om.dll

windows7-x64

10

$PLUGINSDI...om.dll

windows10-2004-x64

10

$PLUGINSDIR/xml.dll

windows7-x64

10

$PLUGINSDIR/xml.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    67s
  • max time network
    68s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    07-01-2025 22:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $PLUGINSDIR/System.dll

  • Size

    67KB

  • MD5

    bd05feb8825b15dcdd9100d478f04e17

  • SHA1

    a67d82be96a439ce1c5400740da5c528f7f550e0

  • SHA256

    4972cca9555b7e5dcb6feef63605305193835ea63f343df78902bbcd432ba496

  • SHA512

    67f1894c79bbcef4c7fedd91e33ec48617d5d34c2d9ebcd700c935b7fe1b08971d4c68a71d5281abac97e62d6b8c8f318cc6ff15ea210ddcf21ff04a9e5a7f95

  • SSDEEP

    1536:2IfbmtOpUtoqoQvfDrghNT+2w8mbJ1/NfSttVx:bfi4GoqVvbaNXubJ1JI

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2700
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2244
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2812
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2812 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2744
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 224
        3⤵
        • Program crash
        PID:2724

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9526ffff9eaf9c18a90c409a67078d37

    SHA1

    95e691d8b1b992553760005e0ec5f87484394933

    SHA256

    c0551428f717aaffeb12c4001a1f46b5f61480226e0ea918a9518129cb0ae6fe

    SHA512

    e73ef2b81d9916b80b66d93c1c343341dd2bce8f696e11383700c51069b156c15ce0281d5fee8dda3eb96d6488f87d3db08211b1798e730b59a0b670bacc2a6f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8200ca4859f85f07fd477f3522b490e3

    SHA1

    1267c9249c7310d14033caeffd86d333603c2ae7

    SHA256

    ee810efbf681580a35b704d5d22111f900f2b9fd40f241632325e3515fe4cc18

    SHA512

    eaa035ac3d402d0317fd15f69ffd7c1655beb1a782ec8d644dea6a719bd1d4fe32a5392ec8a39420a9e10b45c9c2f002701b1faba768ba24da9de39fbcc281c4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    59d9025cb2c4fbee67dc12d7f47e12bf

    SHA1

    5467fe8ee13637882ac53a1a717e690cb1dee92a

    SHA256

    76678fc469f286f9eea0a8f890d4b36e082b7f75cfc866fc7c41655b3c217afe

    SHA512

    f335b77e959312753fa097b28a6e7d2c76aedafdf21ee10788fcc287b831f58f70a2c6f4ccd6c38a4bd7ebde10db0ea36374b6649163b623a12e3f8eaee80a9f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b746fb4f73772ba87a2c8503a02c04c8

    SHA1

    5835386688814647b13873deb6b529fc8568ec46

    SHA256

    513e863de20b1d7fee4b6af4eaed2a17be9357dc882e333b35e6ce3c5eca16a6

    SHA512

    bc8b9df8d71eeee0e5d2ed839e1790a319dcba9110b9d8716b8d015927d8895fe631e11c300a961c5e06344185f14ac7612adaa4b4d6070975ad351fd6ff42ed

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    294eee7b152583ff19ebc6dc2e050746

    SHA1

    cb474b25b254baab6a9561f9a665c456e27159bc

    SHA256

    b5f2871c1e16de4b27efbc56e05923bce2785745fc2326aebdfc1f127fb73b9a

    SHA512

    69623ce749c8277a7fd6209e1319fb152a509dac600d53547b3ed6563d97072eb5b72027df6ea84a3217ac850108600140a2e043777e7955017eee74c8489cbb

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    469bd1c199d128d420c7707791f7de9c

    SHA1

    e4b794e62aa3f5b2a4b513de8246ea3809c561af

    SHA256

    e37e037721ecb113a4f488ca4541263568def08aa90649f6212bb3bee8991053

    SHA512

    df1f2f0f51df98c84f135c1890c7a53bb6c5686916dcee173516e577b6c694cf2f101729ee0876f3bf2e4e77468c1ff7e0ef9498ab77c0f8782e69b19787b027

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1a17ae4bbcb8583f236e0542f8c6a19b

    SHA1

    f5ee8215c63e9f45074a0da0af6aa1114893aaae

    SHA256

    d26b0f61b88cb3eb4e0efab986adaf51fab4d578c9f71adf9603046250f10cab

    SHA512

    08689f70c5b0bec036962b873a3ee41e1ff40d25fb13ff06be75dd5cfac1cef1cf942fa95ce2e05cf921c81c8c16c1abeb68088c305bb9e1dc0e8ad93c2f04a8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    07b059df85a7d0b2afd2ead2bc1b4858

    SHA1

    1325960f96192819e91138a7043a5d5a8f2cd814

    SHA256

    75c1e3ef9ed6e6f656cb833eb39da4503d00ec81cd416e84e3aaa533374c5790

    SHA512

    eb949fb80400340e29979e1f7f4fab17e9116a822fea149800156f0916cedb87bb00487ff7f5051f8a10c78236142cab8c6979905a5efb7e51177e524df130ec

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    845947cd6507bbc854c90c417e943893

    SHA1

    aa20d997fd47082d769fd495bc29708561ca7a6a

    SHA256

    041d4cfcd43bed93e72876b9ad109987db60992fe2d78564367d21b6260a510c

    SHA512

    e3ef547f8d835f75aad081374ccf4aac31f680d2adfa56f7b01930eedb32e7ba5fe3c917c8206f21b035a863b9a1625b822b1d824467f902903a81186d9dff13

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    5f2b30cdedd0c79bae5e2842ab5cca77

    SHA1

    673102cbef5fa3463f6e5579a330f61336b43e9e

    SHA256

    543efd5ef7d58d09c24803c9da017fda09e4fbd3a5fcd0db7cc54ca9aaa59279

    SHA512

    1a22e512a0da25eaf1b5f0c469bc118ea8aacc671a7cea7555a7f93a9e40fff8df70cbe17936f7fce9d2daaa4201a7cc2e6971ed2e30ea252d1d2a9ead66de56

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    151a140460f8266495a8bb9bc013b515

    SHA1

    15ffbc93873faaadc03cfc60088a6b860e68a15c

    SHA256

    e556183fe98eed5afa3ebe9fa41c7e431a2168ab9681c21596d3b9cb5885bc74

    SHA512

    94b5d755b9c6bc45f67e0ad3b3ee31e6e30d091b6d89a895d4b22416cb992725fa3e072a4a7c0980c7260a8acca021d5413ac0022e55d82a8006185b66a28f43

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    fd61ea543ea87163a6acedaf12dfd8ce

    SHA1

    35d7903e8ff2b724f56831714c157e5f14dd93dd

    SHA256

    46c76dbc711ffae0a690404bf58109ffe4c822302fc4c06dd0c02d0eec8effd0

    SHA512

    44e935be9104982cf3848157d65c621e9b38022cbba27dd4afd52997b9dbbf08a70c579a123411a208c8ff5bcc81355132f049e6d1f1f96851b79315d91e1d5e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1437744dafd32e0139c3f371943ab542

    SHA1

    3c3c9970980a0b60c26b521bd42dc4cdfef77dfc

    SHA256

    7af2cbd78e0edabe341cb969ffe8b7d051360ac73d30a1a04eb68714c9b7b35d

    SHA512

    d3096e398fedc419dbc17fbebe52b9f8500f838a791f9feaf94c46aeef02566a324c8cbd614ea99ae45ccc1c52618397297b040aaeb0657bf9c80b288df85b48

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4eceeb78eb98659e08fb2f628a02eefa

    SHA1

    3b8fc0478103d4c8a9208a8b1bab7183a0c757e0

    SHA256

    92232ffc015d5263d9db1ae362f228053165fa6e5170806b073b69a5f28a96a9

    SHA512

    0fe709748069d9dc7e2481eb7430ad7493e905b7766ad7116830b4ab8bd2cd78ca79b5bdc419758d92054369eb128d7c3869e4d82de27dc084511d573bd08c49

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    13c9cd2f1e275c44598bd4ea4c01d018

    SHA1

    f98fe835d9a6c0403b2968d223ca3de83f2e8369

    SHA256

    f86b74ec5ff01c4591db636d654ce985232f269a33f24e7096c51ce2b87efab2

    SHA512

    c98724f4186c9a316a95c614a88fc5357c7ea27e5527005f7ae415474e3d6f3ac911114641d6a392ceffbd23b7d5ae5f01b3c757ad3daaaa34728badf80d7daa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab4D19.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar4D8A.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • \Windows\SysWOW64\rundll32Srv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • memory/1660-22-0x0000000010000000-0x0000000010015000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1660-2-0x0000000010000000-0x0000000010015000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1660-6-0x00000000001E0000-0x000000000020E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1660-23-0x00000000001E0000-0x000000000020E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1660-1-0x0000000010000000-0x0000000010015000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2244-21-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2244-19-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2700-8-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2700-11-0x0000000000230000-0x000000000023F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2700-12-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download